About Pras

Pras · ‎01-08-2024

@pbezouska Hello, How do you perform FSCK and wiping panlogs ? Thanks, Pras

Pras · ‎11-27-2023

@buzor.okoye That's exactly that had happened. After the plugin update the issue got resolved. Thanks a lot for your feedback. PS sorry for the delayed response as I was away for a while.

Pras · ‎10-25-2023

@MayurLaddha45454545: Thanks !!!! I forgot to update here but that's exactly what was done to resolve the issue, manually sync'd the config and then restarted the Firewalls, as you said.

Pras · ‎10-15-2023

@Raido_Rattameister Yes thats correct. ips are different in both Fws and Yes, zone pushed from Panorama. Also this was working fine before. Forgot to mention, with all this happening with HA ,the Panorama actually says its in sync and theres no issue there. Note: No zombie processes are running on the firewalls but the sysd msg and "Peer namespace on peer device missing too long, trying to restart" msg seem to be the clue for the issue. Thanks

Pras · ‎10-14-2023

Hi Guys. I have a Palo 220 in HA A/P managed by the panorama. The customer made mgmt IP change and Added a Zone but then ever since the config is out of Sync Between the HA pairs. So all the articles are referenced, request high-availability sync-to-remote running-config' has been performed from both passive and active fw, force committed, pushed the template values from Panorama with all the force values and others selected, nothing works. Pano is on 9.1.16 and the Firewalls are on 9.1.14-h4. the only option left is to manual sync from the xml file which the customer is hesitant to do. ha-agent logs gives below error from the passive Firewall (Peer namespace on peer device missing too long, trying to restart) LV[3]: type 11 (SYSD_PEER_DOWN); len 4; value: 00000001 Msg Hdr ------- version : 1 groupID : 1 type : Hello (2) token : 0x1b4e flags : 0x1 (req:) length : 122 Hello Msg --------- flags : 0x1 (preempt:) state : Active (5) priority : 100 cookie : 17043 num tlvs : 3 Printing out 3 tlvs TLV[1]: type 62 (CONFIG_MD5_PRE); len 33; value: 62656362 63383863 64663634 36636336 39373337 32356162 39373436 64333362 00 TLV[2]: type 2 (CONFIG_MD5SUM); len 33; value: 35653537 63313638 36646165 66623137 39323163 38306263 31663966 33333466 00 TLV[3]: type 11 (SYSD_PEER_DOWN); len 4; value: 00000001 2023-10-13 13:11:25.309 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart 2023-10-13 13:11:25.309 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers 2023-10-13 13:11:25.309 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10…..xxx; sourceip:10.117.21.XXX; port:0x6e64 2023-10-13 13:11:25.309 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10…..'port': 28260, 'reset': True, 'sourceip': 10.xxxXXX, }, } 2023-10-13 13:11:25.309 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added 2023-10-13 13:11:25.329 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers 2023-10-13 13:12:45.388 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart 2023-10-13 13:12:45.388 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers 2023-10-13 13:12:45.389 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10.xxxxxx; sourceip:10…xxx; port:0x6e64 2023-10-13 13:12:45.389 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10….. Xxx, 'port': 28260, 'reset': True, 'sourceip': 10…XXX, }, } 2023-10-13 13:12:45.389 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added 2023-10-13 13:12:45.408 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers 2023-10-13 13:14:05.466 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart 2023-10-13 13:14:05.466 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers 2023-10-13 13:14:05.467 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10.xx; sourceip:10..1.XXX; port:0x6e64 2023-10-13 13:14:05.467 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10.117… 'port': 28260, 'reset': True, 'sourceip': 10.117…XXX, }, } 2023-10-13 13:14:05.467 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added 2023-10-13 13:14:05.486 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers ^Z2023-10-13 13:15:25.568 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart 2023-10-13 13:15:25.568 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers 2023-10-13 13:15:25.569 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10.117…; sourceip:10.117….XXX; port:0x6e64 2023-10-13 13:15:25.569 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10.117.. 'port': 28260, 'reset': True, 'sourceip': 10.117….XX, }, } 2023-10-13 13:15:25.569 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added 2023-10-13 13:15:25.589 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers ^PA-220-02(passive)> PA-220-02(passive)> PA-220-02(passive)> debug software resstart process management-server Many Thanks, @kiwi @BPry

Pras · ‎09-22-2023

while unchecking the import option and following the configd log i can see below. But the interesting thing is i m not using any master key. The panorama managing this fw was in AWS and now i am trying to bring this to a Hw Panorama. 2023-09-22 12:15:55.816 +1000 Error: pan_cfg_create_imported_nodes(pan_cfg_config_import_handler.c:3145): Could not decrypt firewall config with given masterkey during import of device-group shared config 2023-09-22 12:15:55.816 +1000 Error: pan_cfg_process_device_config_import(pan_job_mgr.c:13499): failed to process device config import request 2023-09-22 12:15:55.816 +1000 Error: pan_jobmgr_process_job(pan_job_mgr.c:4530): device configuration import job has failed 2023-09-22 12:15:56.921 +1000 Error: _pan_schema_verify_node(pan_schema_obj.c:7600): is unexpected , node: cluster near line 1 2023-09-22 12:15:57.057 +1000 client authd reported op command FAILED

Pras · ‎09-22-2023

@reaper yes thats done do. Along with Force commit too. The issue is when i add the fw to the pano unchecking the import device config… it throws me an error with warning which is blank. But when i check the import the commit fails with eproxy error. This is very weird.

Pras · ‎09-21-2023

@reaper thanks for your reply! Panorama- firewall, all have been rebooted multiple times, removed the Fw and added it several times too. PANOS Version is 10.1.4 h4 Thanks

Pras · ‎09-21-2023

Hi Guys, We are trying to push configuration from Panorama HW to AWS Firewall but getting below error upon following the devsrv we see below: I am wondering what is "Unable to execute eproxy script. Error (512) " and how to go on resolving as it is not throwing any specific error msg to relate to an issue. Many Thanks, @BPry @kiwi

Pras · ‎08-15-2023

Hey @renzanjo11 , I meat loading the saved configuration (GUI) and using the command " Commit Force " from the CLI p.s: works for Panorama and the FW both.

Pras · ‎07-16-2023

Hi All, I have a situation where the Meraki sends error saying it cannot reach the internet which is connected to the PA and then to the Service provider's NTU. The NTU is providing DHCP connection to the PA's ethernet port. No error message is seen on the PA, but then each time this happens, we need to renew the DHCP Lease in the PA's interface and then the issue resolves. This happens intermittently, sometimes in 2/3 days. Interestingly the DHCP lease expires every 2-3 hours from the SP and cannot be determined if this could be the issue. Any help on troubleshooting this would be appreciated. Thank you in advance. @BPry @kiwi Regards,

Pras · ‎06-07-2023

Hi Guys, Just noticed that PanGPS debug is starting to capture packets that are detected by the external monitoring agent. I m wondering why it happens or if this is a native behavior. How do I go about stopping it? Is this even normal? Not all the endpoints are being detected, only a few. Thank you, @BPry @kiwi

Pras · ‎05-03-2023

Seems like the problem started ever since the Curl Patching was done. If there a known solution or steps on Palo for this?

Pras · ‎05-02-2023

Thanks guys, I can see the the API calls stopping with error msgs as below: It has UTC timings, not sure if this is PAN error or something else. All I could find in the latest php.debug was this but in the old ones i could see all the api calls happening successfully. Does this look like a pan issue to you?

Pras · ‎05-01-2023

Hi @OtakarKlier , Its not full time because of security purposes. As said, it was working all good for many months and stopped all of a sudden. Calls out and time out is like six hours apart, so should be fine I guess. Where can I see the logs for the API communication in the TSF apart from the monitor logs? I can only see VPN msgs there. I am confused as to where to start troubleshooting. P.s API admin gets successfully authenticated but unable to establish the VPN I do not see any such bugs identified Thanks,

Member Since	‎12-07-2021 10:00 PM
Date Last Visited	‎05-02-2024 06:21 PM
Posts	120
Total Likes Received	6

Online Status	Offline
Date Last Visited	‎05-02-2024 06:21 PM

About Pras

Re: High Disk Space Usage on /opt/pancfg partition

Re: Panorama Commit issue 10.1.4-H4 after upgrade from 10.1.3

Re: Ha config not in sync

Re: Ha config not in sync

Ha config not in sync

Re: Panorama Push Error

Re: Panorama Push Error

Re: Panorama Push Error

Panorama Push Error

Re: Panorama Commit issue 10.1.4-H4 after upgrade from 10.1.3

Error: Thermite Certificate is used for CDL communication

Blocking ChatGTP

Re: Verification of Generated Key Pair Failed

Re: Alarm “Device certificate status expired: it cannot be renewed” on panorama every day.

Re: PA 820 Has Validate Export and Reinstall all together under Software

DOTW: Function of Auto-Commit in PAN-OS

Re: Error: Thermite Certificate is used for CDL communication

Re: Blocking ChatGTP

Re: API calls to Azure failing

Re: Verification of Generated Key Pair Failed

Nominated Discussion: Removing PAN-OS Base Images

Nominated Discussion: HA Failover When Config is Not Synced

Re: High Disk Space Usage on /opt/pancfg partition

Re: Panorama Commit issue 10.1.4-H4 after upgrade from 10.1.3

Re: Ha config not in sync

Re: Ha config not in sync

Ha config not in sync

Re: Panorama Push Error

Re: Panorama Push Error

Re: Panorama Push Error

Panorama Push Error

Re: Panorama Commit issue 10.1.4-H4 after upgrade from 10.1.3

DHCP Interface Stuck

GPS Packet capture

Re: API calls to Azure failing

Re: API calls to Azure failing

Re: API calls to Azure failing

Unlock your full community experience!

About Pras